I want to use the overflow in some methods of the program to run another function, win().
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_PRIORITY_STRSIZE 10 /* len(str(2**32)) */
#define MAX_TITLE_SIZE 0x20
#define MAX_TODOS 0x30

/* Target function: never called by the menu, replaces the process with the flag reader. */
void win(void)
{
    execl("/bin/get_flag", "get_flag", NULL);
}

/* Reads one line into buf (at most buf_size-1 bytes); rejects empty titles
   and titles longer than MAX_TITLE_SIZE. */
bool read_title(char* buf, size_t buf_size)
{
    if(!fgets(buf, buf_size, stdin))
    {
        printf("Could not read title...\n");
        return false;
    }
    if(buf[0] == '\n')
    {
        printf("Title cannot be empty!\n");
        return false;
    }
    /* Remove newline in title */
    strtok(buf, "\n");
    if(strlen(buf) > MAX_TITLE_SIZE)
    {
        printf("Title too long!");
        return false;
    }
    return true;
}

/* Reads one line into priority_buf (at most buf_size-1 bytes) and parses it
   as a signed 32-bit integer. Anything past buf_size-1 stays in stdin. */
bool read_priority(char* priority_buf, size_t buf_size, int32_t* ret)
{
    printf("Priority: ");
    if(!fgets(priority_buf, buf_size, stdin))
    {
        printf("Could not read priority...\n");
        return false;
    }
    if(sscanf(priority_buf, "%d", ret) != 1)
    {
        printf("Invalid input!");
        return false;
    }
    return true;
}

void print_welcome(void)
{
    printf("Welcome to ToDo-List-as-a-Service Demo!\n"
           "Manage ToDo-List to your liking with a simple terminal interface!\n");
}

void print_menu(void)
{
    puts("=================================");
    puts(" What would you like to do next?");
    puts(" A: Add ToDo");
    puts(" C: Mark ToDo as completed");
    puts(" D: Delete ToDo");
    puts(" E: Edit ToDo Title");
    puts(" I: Increase Priority");
    puts(" L: List ToDos");
    puts(" P: Edit ToDo Priority");
    puts(" Q: Quit");
    puts("=================================");
    printf("> ");
}
The functions above are what's important for this question. During testing I've found that:
- During Add ToDo, if we input a large amount of numbers as the priority, the title automatically becomes part of the numbers entered for the priority, without entering a title any further, e.g.
a
Priority: 1111111111111111111111111111111
Title: ToDo ‘11111111111111111111’ added!
- If we edit that ToDo's priority to a large amount of numbers, specifically more than 9 digits, the title also changes, but into other numbers.
I'm sure this could be a buffer overflow problem and we could exploit this to run win(), but I don't know which inputs to put. I ran lldb (since I use a Mac) and found out that win_address = 0x100003040
main_address = 0x1000039b0
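The two behaviours reported in the question can be reproduced outside the challenge with the posted helpers. The program below is an added illustration, not code from the question or from the challenge: it re-declares read_title/read_priority to take a FILE* so a constructed input string (via POSIX fmemopen) can stand in for stdin. The first function shows observation 1, which follows from fgets alone: with a 10-byte priority buffer fgets stops after 9 characters and the rest of the line is consumed by the next read, the title. The second function models observation 2 under an assumed layout that is not taken from the binary: a record in which the priority string is immediately followed by the title, read with an fgets size larger than the priority field. The function names, the record layout and the constant RECORD_SIZE are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PRIORITY_STRSIZE 10 /* same constants as the posted program */
#define MAX_TITLE_SIZE 0x20

/* The two posted readers, re-declared to take a FILE* so a constructed
 * input string can stand in for stdin. The logic is otherwise the same. */
static bool read_priority_from(FILE *in, char *priority_buf, size_t buf_size,
                               int32_t *ret)
{
    if (!fgets(priority_buf, buf_size, in))
        return false;
    return sscanf(priority_buf, "%d", ret) == 1;
}

static bool read_title_from(FILE *in, char *buf, size_t buf_size)
{
    if (!fgets(buf, buf_size, in))
        return false;
    if (buf[0] == '\n')
        return false;
    strtok(buf, "\n");                     /* drop the newline */
    return strlen(buf) <= MAX_TITLE_SIZE;
}

/* Observation 1: leftover input. fgets(buf, 10, stdin) stops after 9 bytes;
 * the remainder of the line stays in the stream and the very next fgets
 * (the title prompt) reads it. Returns the resulting title length, or -1
 * if either read fails. */
int leftover_title_len(const char *line, int32_t *priority_out,
                       char *title_out, size_t title_out_size)
{
    char copy[256];                        /* constructed stand-in for stdin */
    snprintf(copy, sizeof copy, "%s", line);
    FILE *in = fmemopen(copy, strlen(copy), "r");
    if (!in)
        return -1;

    char priority_buf[MAX_PRIORITY_STRSIZE];
    bool ok = read_priority_from(in, priority_buf, sizeof priority_buf, priority_out)
           && read_title_from(in, title_out, title_out_size);
    fclose(in);
    return ok ? (int)strlen(title_out) : -1;
}

/* Observation 2: adjacent-field overwrite. ASSUMED layout (not from the
 * binary): the priority string sits directly in front of the title inside
 * one record. If the size handed to fgets is larger than the priority
 * field, the tail of a long priority line lands in the title. */
#define TITLE_OFFSET MAX_PRIORITY_STRSIZE
#define RECORD_SIZE  (MAX_PRIORITY_STRSIZE + MAX_TITLE_SIZE + 1)

/* Fills a record with an existing title, then reads a priority line into it
 * with fgets_size (the bug being modelled is fgets_size > MAX_PRIORITY_STRSIZE,
 * clamped here so the write never leaves the record). Copies the title field
 * out with its newline stripped and returns true if the title changed. */
bool priority_edit_clobbers_title(const char *line, size_t fgets_size,
                                  char *title_out, size_t title_out_size)
{
    char record[RECORD_SIZE];
    memset(record, 0, sizeof record);
    strcpy(record + TITLE_OFFSET, "buy milk");
    if (fgets_size > RECORD_SIZE)
        fgets_size = RECORD_SIZE;

    char copy[256];                        /* constructed stand-in for stdin */
    snprintf(copy, sizeof copy, "%s", line);
    FILE *in = fmemopen(copy, strlen(copy), "r");
    if (!in)
        return false;
    int32_t priority = 0;
    read_priority_from(in, record, fgets_size, &priority);
    fclose(in);

    snprintf(title_out, title_out_size, "%s", record + TITLE_OFFSET);
    strtok(title_out, "\n");
    return strcmp(title_out, "buy milk") != 0;
}
```

Feeding 31 ones to leftover_title_len yields priority 111111111 and a title of 22 ones, which is the shape of the first observation. For priority_edit_clobbers_title, passing MAX_PRIORITY_STRSIZE as the fgets size leaves "buy milk" intact, while a larger size writes the digits after the ninth over the title. Which size the real program passes (and whether the title really sits right after the priority field) is exactly what to confirm in the debugger before choosing inputs.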